Hi,

> The virus gets into the user machine by e-mail from other ISPs. There's
> no way I can block e-mail ports. I blocked ports TCP 4444,135,445 and
> UDP 69, known as ports that w32.blaster and other worms use to spread
> in the network. I really want to be able to scan every package that
> passes through the firewall and see from which host it's coming from.
> Ex: host-192.168.1.175 is sending strange packages that may be a virus
> attack.

As somebody already suggested, you should install the snort intrusion detection system on the FC2 box (http://www.snort.org). Then you should search for snort pattern files regarding these worms (some are included in the standard packages, but perhaps not all you need).

It's also possible to configure snort in such a way that it acts as an intrusion prevention system, that is, it will cut a connection if it detects some worm activity.

But be warned: it's not trivial to set up and run a network intrusion detection/prevention system correctly. Depending on your current knowledge you may have to learn a lot. Especially if you configure it as an intrusion prevention system, chances are that you cut internet access for all machines by, e.g., blocking the name servers.

-volker
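Added example, not part of the original message and not Snort code: a per-host check of the kind the thread asks for, counting how many distinct destinations each LAN host contacts on the ports named in the quoted message. The iptables LOG-style line format, the `192.168.1.0/24` LAN range, the threshold and the function name `suspicious_hosts` are assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Ports listed in the quoted message as used by w32.blaster and similar worms.
WATCHED = {("TCP", 135), ("TCP", 445), ("TCP", 4444), ("UDP", 69)}
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def suspicious_hosts(log_lines, lan="192.168.1.0/24", min_targets=3):
    """Map each LAN host to {(proto, port): distinct destination count} for
    watched ports on which it contacted at least min_targets addresses."""
    net = ipaddress.ip_network(lan)
    targets = defaultdict(set)
    for line in log_lines:
        f = dict(FIELD.findall(line))
        if len(f) < 4 or not f["DPT"].isdigit():
            continue  # ICMP, truncated or unrelated kernel lines
        try:
            inside = ipaddress.ip_address(f["SRC"]) in net
        except ValueError:
            continue  # malformed address field
        key = (f["PROTO"], int(f["DPT"]))
        if inside and key in WATCHED:
            targets[(f["SRC"], key)].add(f["DST"])
    report = defaultdict(dict)
    for (src, key), dsts in targets.items():
        if len(dsts) >= min_targets:  # many targets = scanning, one = normal use
            report[src][key] = len(dsts)
    return dict(report)

# Constructed sample lines in iptables LOG style (assumed format, not real traffic).
SAMPLE_LOG = [
    f"Aug 12 10:00:0{i} fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.175 "
    f"DST=203.0.113.{i} PROTO=TCP SPT=1025 DPT=135 SYN"
    for i in range(1, 5)
] + [
    "Aug 12 10:00:06 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.175 "
    "DST=203.0.113.9 PROTO=UDP SPT=1030 DPT=69",
    "Aug 12 10:00:07 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.20 "
    "DST=192.168.2.5 PROTO=TCP SPT=1040 DPT=445 SYN",
    "Aug 12 10:00:08 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.20 "
    "DST=192.168.2.5 PROTO=TCP SPT=1041 DPT=445 SYN",
    "Aug 12 10:00:09 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.30 "
    "DST=203.0.113.1 PROTO=ICMP TYPE=8",
]

if __name__ == "__main__":
    for host, hits in suspicious_hosts(SAMPLE_LOG).items():
        print(host, hits)
```

Counting distinct destinations rather than raw packets keeps a workstation that talks repeatedly to one file server on port 445 out of the report.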